Shipt Subdomain Takeover via Heroku ( )


I noticed that Shipt became a public program,

so I started scanning for subdomain takeovers
with the Takeover tool, edited by me.

Then it detected that there is a possible takeover on 
As it has an A record 

I tried to go directly to 

The page was not found 😀 

So I claimed it on Heroku.

Then I uploaded a simple Node.js app only to provide more PoC.

The team was very fast.
Reported to: Shipt, Jul 28th

Triaged: 28th

Fixed and rewarded in 10 min
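
For zone owners, the condition described above (a record still pointing at Heroku while no app answers for the hostname) can be audited from a DNS export plus recorded HTTP responses. The following is an added example, not the author's tool; the Heroku suffixes, the "No such app" marker, the `heroku_ips` list and all sample hosts are assumptions or constructed data.

```python
from dataclasses import dataclass

# Assumptions: DNS suffixes of Heroku-operated targets and the text Heroku's
# router serves when no app is bound to the requested hostname.
HEROKU_SUFFIXES = (".herokuapp.com", ".herokudns.com")
UNCLAIMED_MARKERS = ("no such app",)

@dataclass
class Observation:
    host: str    # name in our own zone
    rtype: str   # "CNAME" or "A"
    target: str  # record value
    status: int  # HTTP status recorded for http://host/
    body: str    # excerpt of the response body

def points_at_heroku(obs, heroku_ips):
    """True if the record hands traffic for obs.host to Heroku."""
    if obs.rtype == "CNAME":
        return obs.target.rstrip(".").lower().endswith(HEROKU_SUFFIXES)
    # A records carry no provider name; match IPs we know we pointed at Heroku.
    return obs.rtype == "A" and obs.target in heroku_ips

def classify(obs, heroku_ips=frozenset()):
    if not points_at_heroku(obs, heroku_ips):
        return "ignore"
    # An app's own 404 is fine; only the platform's "no app" page is dangling.
    body = obs.body.lower()
    unclaimed = obs.status == 404 and any(m in body for m in UNCLAIMED_MARKERS)
    return "dangling" if unclaimed else "in-use"

def audit(observations, heroku_ips=frozenset()):
    """Hosts whose DNS record should be deleted or re-bound to an app we own."""
    return [o.host for o in observations if classify(o, heroku_ips) == "dangling"]

# Constructed sample inventory (example.com names, documentation-range IP).
HEROKU_IPS = frozenset({"203.0.113.10"})
SAMPLE = [
    Observation("shop.example.com", "CNAME", "old-shop.herokuapp.com.", 404, "<h1>No such app</h1>"),
    Observation("www.example.com", "CNAME", "live-site.herokuapp.com", 200, "<h1>Welcome</h1>"),
    Observation("promo.example.com", "A", "203.0.113.10", 404, "No such app"),
    Observation("blog.example.com", "CNAME", "blog.example.net", 404, "Not Found"),
    Observation("api.example.com", "CNAME", "api-v1.herokuapp.com", 404, "Not Found"),
]

if __name__ == "__main__":
    for o in SAMPLE:
        print(f"{o.host:20} {classify(o, HEROKU_IPS)}")
```

Any host reported as dangling is fixed by deleting the DNS record or re-adding the domain to an app the organisation still controls.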


Post a Comment


  1. Assalamualaikum brother can you that subdomain scanner tool which you have developed?

  2. Please check your facebook message inbox ..Need urgent help

  3. Can you provide the step-by-step guide to do it?

  4. Can you please provide the step-by-step procedure?

  5. While following your report, I tried to claim one of the subdomains. However, I am getting the error stating that "Domain is currently use by another app". Am I missing something? Help appreciated.

    1. Sorry, but this means you can't claim it. It's already in another account.

  6. In the case of connecting from Shopify itself, when you tried to connect to those vulnerable subdomains and then verified the connection, did a message appear to you that this domain is available and you need to buy it for 14.00$? Or were you automatically redirected into those subdomains after verifying the connection?

    I'm a little confused about whether I should buy this subdomain and report it or not.

    Thanks in advance.

    1. If you mean you want to report it to the Shopify program, don't waste your time and money. They don't pay.